Control: Resource logs in Event Hub should be enabled
Description
Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.eventhub_namespace_logging_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.eventhub_namespace_logging_enabled --shareSQL
This control uses a named query:
with logging_details as ( select distinct name as namespace_name from azure_eventhub_namespace, jsonb_array_elements(diagnostic_settings) setting, jsonb_array_elements(setting -> 'properties' -> 'logs') log where diagnostic_settings is not null and ( ( (log ->> 'enabled') :: boolean and (log -> 'retentionPolicy' ->> 'enabled') :: boolean and (log -> 'retentionPolicy') :: JSONB ? 'days' ) or ( (log ->> 'enabled') :: boolean and ( log -> 'retentionPolicy' ->> 'enabled' <> 'true' or setting -> 'properties' ->> 'storageAccountId' = '' ) ) ))select v.id as resource, case when v.diagnostic_settings is null then 'alarm' when l.namespace_name is null then 'alarm' else 'ok' end as status, case when v.diagnostic_settings is null then v.name || ' logging not enabled.' when l.namespace_name is null then v.name || ' logging not enabled.' else v.name || ' logging enabled.' end as reason , v.resource_group as resource_group , sub.display_name as subscriptionfrom azure_eventhub_namespace as v left join logging_details as l on v.name = l.namespace_name, azure_subscription as subwhere sub.subscription_id = v.subscription_id;